2021-02-17 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR
2.  
3. HANCITOR BUILD
4. BUILD=1702_pro23
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Signature Service
8. You got notification from DocuSign Signature Service
9. You received invoice from DocuSign Electronic Service
10. You received invoice from DocuSign Service
11. You received notification from DocuSign Electronic Service
12. You received notification from DocuSign Electronic Signature Service
13. You received notification from DocuSign Signature Service
14.  
15. SENDERS OBSERVED
16. [email protected]
17. [email protected]
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25.  
26. MALDOC LANDING PAGE URLS
27. https://docs.google.com/document/d/e/2PACX-1vQgIfA0Eba71P-4GAbtR9i4UzopM0AVx7PVI7nrYF65fUrmkjXuROsxRlQ1FVz6uOAa_9mgcwBSpEYX/pub
28. https://docs.google.com/document/d/e/2PACX-1vRdIMUUkcPV2W_XHw5WBZSOGyvwkzjZ_G15YWvoTmRJh-IR4dOQKSnTxNDTv3W57vSzTRTyWAbsrWQU/pub
29. https://docs.google.com/document/d/e/2PACX-1vSdAF6b9dDsWkDaM--xHUM-KzMQjYprAT0P6zhLpb_CGC-eE05dcTdX5tm5DVumDRvzCJ7XwB_XsPTq/pub
30. https://docs.google.com/document/d/e/2PACX-1vT10dUghgCUkjXirdGrkZtDHfU2OFKPTpous1hQPbuH58PWWi_xmweyAyzolI6Y-evxcqrbKnN1Mo90/pub
31. https://docs.google.com/document/d/e/2PACX-1vTcmrejDN5ihjM_Kc1Usu30hLGiEX1f932P2DEt_x6lQxE11EJm1o2E3sGFpUNanJcA3gsQj91tOpNZ/pub
32. https://docs.google.com/document/d/e/2PACX-1vTE15GfZYtu2PXt0P_LXK4OXELVVWTVFzrLWOtU6Asrl0lHdgR_8JTwSc7-nSvk7m0yudTNGzVpqGU1/pub
33. https://docs.google.com/document/d/e/2PACX-1vTqMpUzmOn4a2pgQDMYRK_CT8UUYeo0ePFKi2sPvFbHhaGvk4zrwW-RO_gb_WhzUxmJ91elxpJpKeXU/pub
34.  
35. MALDOC DISTRIBUTION URLS
36. http://somdeeppalace.com/slickness.php
37. https://buahpinggang.my/parma.php
38. https://jayins.com/disquieting.php
39. https://pepselectricailservice.co.uk/archiver.php
40.  
41. somdeeppalace.com
42. buahpinggang.my
43. jayins.com
44. pepselectricailservice.co.uk
45.  
46. HANCITOR MALDOC FILE HASHES
47. 0b5f29fb9e3c4b2ef56af61b6046115d
48. 1283f5be56f3834d8effcb6182d01dfa
49. 6339d90f60316aa4df36f4dfd085d320
50. ef0e5920daa89ba15bac2357bee2b502
51.  
52. HANCITOR PAYLOAD FILE HASH
53. W0rd.dll
54. 532a355471de8f834460e026ccd65150
55.  
56. HANCITOR C2
57. http://hatuderefer.com/8/forum.php
58.  
59. FICKER STEALER PAYLOAD URLS
60. http://belcineloweek.ru/6sufiuerfdvc.exe
61.  
62. FICKER STEALER FILE HASH
63. 6sufiuerfdvc.exe
64. 77be0dd6570301acac3634801676b5d7
65.  
66. FICKER STEALER C2
67. http://sweyblidian.com
68.  
69. Post .doc file download phishing page (M&T Bank):
70. https://webinfoplus.xn--mndtbnk-9m4ce.com/cashplus
71.